####
##
#
#  This file is automatically generated from the template located at
#  /etc/symbiosis/apache.d/ssl.template.erb.
#
#  Feel free to make changes to this file, and thereafter it will not be
#  automatically updated if the template, or SSL configuration changes.
#
#  For SSL documentation please consult:
#
#  http://symbiosis.bytemark.co.uk/jessie/docs/ch-ssl-hosting.html
#
##
###

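<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>

        #
        # Put our server name
        #
        ServerName  <%= domain %>

        #
        # This is the testing alias.
        #
        ServerAlias <%= domain %>.testing.<%= hostname() %>

        #
        # And server alias in place
        #
        <%= server_aliases %>

        <IfModule ssl_module>
                SSLEngine On

                #
                # The certificate, key, and intermediate bundle (if needed)
                #
                <%= ssl_config %>

                #
                # Intermediate configuration, taken from
                # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
                #
                # NOTE(review): "all -SSLv3" still permits TLS 1.0 and 1.1, and the
                # tail of the cipher list keeps 3DES and non-forward-secret RSA suites
                # for old clients. Compare with the current Mozilla intermediate
                # profile before tightening either directive.
                #
                SSLProtocol             all -SSLv3
                SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

                # Server picks the suite, and TLS-level compression stays off.
                SSLHonorCipherOrder     on
                SSLCompression          off

                #
                # OCSP Stapling -- make sure you remove the reject-www-data
                # rule from the outgoing firewall if you use this.
                #
                SSLUseStapling          off
                SSLStaplingResponderTimeout 5
                SSLStaplingReturnResponderErrors off

% if mandatory_ssl?
                <IfModule headers_module>
                        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
                        # Only emitted when SSL is mandatory, i.e. together with the
                        # :80 -> https redirect in the sibling VirtualHost.
                        # NOTE(review): current preload guidance asks for at least one
                        # year; raise max-age deliberately, since it cannot be undone
                        # quickly on the client side.
                        Header always set Strict-Transport-Security "max-age=15768000"
                </IfModule>
% end
        </IfModule>

        #
        #  Allow users to override settings via .htaccess
        #
        #  The path is quoted so that a directory containing whitespace
        #  still parses as a single argument.
        #
        <Directory "<%= domain_directory %>">
                AllowOverride all
                Require all granted
        </Directory>

        #
        #  The document root
        #
        DocumentRoot "<%= htdocs_directory %>/"

        <IfModule cgi_module>
                #
                # General CGI Handling
                #
                ScriptAlias "/cgi-bin/" "<%= cgibin_directory %>/"

                <Location /cgi-bin>
                        Options +ExecCGI
                </Location>
        </IfModule>

        #
        # Disable indexes by default on the top-level.
        #
        <LocationMatch "^/+$">
                Options -Indexes
        </LocationMatch>

        #
        # We need to log the virtual hostname the incoming request was
        # made against, so that the cron-job in /etc/cron.daily may generate
        # statistics for each domain.
        #
        # "||" makes Apache spawn the logger directly rather than via a shell,
        # so the interpolated uid/gid/path are passed as plain arguments.
        #
        ErrorLog   "|| /usr/sbin/symbiosis-httpd-logger -u <%= domain.uid %> -g <%= domain.gid %> <%= domain.log_dir %>/ssl_error.log"
        CustomLog  "|| /usr/sbin/symbiosis-httpd-logger -u <%= domain.uid %> -g <%= domain.gid %> <%= domain.log_dir %>/ssl_access.log" combined

</VirtualHost>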

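<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>

        #
        # Put our server name
        #
        ServerName  <%= domain %>

        #
        # This is the testing alias.
        #
        ServerAlias <%= domain %>.testing.<%= hostname() %>

        #
        # And server alias in place
        #
        <%= server_aliases %>

% if mandatory_ssl?
        <IfModule rewrite_module>
                #
                # This redirects all accesses to the HTTPS version of the site.
                #
                RewriteEngine On

                #
                # Use our server name if HTTP_HOST is empty.
                #
                # NOTE(review): the second rule echoes the client-supplied Host
                # header into the redirect target. That is only as trustworthy as
                # the vhost matching that routed the request here; if this vhost is
                # the default for the IP it will also receive unmatched Host values.
                #
                RewriteCond "%{HTTP_HOST}" =""
                RewriteRule ^/?(.*) https://<%= domain %>/$1 [R=301,L]
                RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
        </IfModule>
        <IfModule !rewrite_module>
                #
                # Fallback when mod_rewrite is not loaded. Without it this vhost
                # sets no DocumentRoot and would inherit the server-wide one,
                # serving the site over plain HTTP even though SSL is mandatory.
                # mod_alias' Redirect is coarser (always the canonical name) but
                # keeps the redirect in place.
                #
                <IfModule alias_module>
                        Redirect permanent / https://<%= domain %>/
                </IfModule>
        </IfModule>

        #
        # NOTE(review): in this branch no ErrorLog/CustomLog is set, so redirect
        # traffic is recorded in the server-wide logs, not the per-domain ones.
        #
% else

        #
        #  Allow users to override settings via .htaccess
        #
        #  The path is quoted so that a directory containing whitespace
        #  still parses as a single argument.
        #
        <Directory "<%= domain_directory %>">
                AllowOverride all
                Require all granted
        </Directory>

        #
        #  The document root
        #
        DocumentRoot     "<%= htdocs_directory %>/"

        <IfModule cgi_module>
                #
                # General CGI Handling
                #
                ScriptAlias "/cgi-bin/" "<%= cgibin_directory %>/"

                <Location /cgi-bin>
                        Options +ExecCGI
                </Location>
        </IfModule>

        #
        # Disable indexes by default
        #
        <LocationMatch "^/+$">
                Options -Indexes
        </LocationMatch>

        #
        #  We need to log the virtual hostname the incoming request was
        # made against, so that the cron-job in /etc/cron.daily may generate
        # statistics for each domain.
        #
        # "||" makes Apache spawn the logger directly rather than via a shell,
        # so the interpolated uid/gid/path are passed as plain arguments.
        #
        ErrorLog   "|| /usr/sbin/symbiosis-httpd-logger -u <%= domain.uid %> -g <%= domain.gid %> <%= domain.log_dir %>/error.log"
        CustomLog  "|| /usr/sbin/symbiosis-httpd-logger -u <%= domain.uid %> -g <%= domain.gid %> <%= domain.log_dir %>/access.log" combined

% end
</VirtualHost>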